Healthcare website ‘passed with flying colors’

A man looks over the Affordable Care Act signup page on the HealthCare.gov website in New York in this October 2, 2013 file photo illustration.

Mike Segar/Reuters

Congressional Republicans have invested considerable energy of late in raising security fears over healthcare.gov, so it’s a shame this news didn’t generate more attention late last week.

Nearly three months after its launch, HealthCare.gov underwent end-to-end security testing and passed with flying colors, the top cybersecurity official overseeing the website told Congress [Thursday].

Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services, told the House Oversight Committee that results from the tests have alleviated her earlier concerns about risks of cyberattacks and theft of consumers’ personal information.

“The protections that we have put in place have successfully prevented attacks,” Fryer told lawmakers on Thursday. “There have been no successful security attacks on the FFM [federal marketplace], and no person or group has maliciously accessed personally identifiable information.”

Is that so.

Let’s not forget that a month ago, Republicans on the House Oversight Committee said Fryer’s perspective was critically important – at least when they were able to edit part of a transcript to make it seem as if Fryer agreed with them about security threats.

But last week, when Fryer offered nothing but good news for healthcare.gov, it appears Republicans on the House Oversight Committee were far less eager to tout her assessment.

Given his habit of leaking bits of sensitive information that come into his hands as Oversight chairman, and then national media organizations running with the incomplete “scandalous” information they have, the administration has been worried about letting more information about the website’s construction and its security protocols into his hands. If that kind of information were to be leaked, the security threat would be very real.

That’s why Rep. Elijah Cummings, ranking member of the Oversight Committee, has demanded that the committee put a series of protections of sensitive information. Cummings has a number of concerns, including the fact that committee staff has left sensitive information in unsecured rooms, that Issa is sharing sensitive information with outside consultants who haven’t been authorized by the committee, and that the committee as a whole hasn’t adopted security protocols for dealing with this kind of information. Issa delegated to a staffer to blow off all of these concerns. Issa spokeswoman Caitlin Carroll said in response, “The committee is comfortable with the protocols we have utilized to prevent the release of sensitive technical information. […] We have also told the Minority that they are welcome to consult with us on any questions they have about information they intend to release.” Welcome to consult, but don’t expect us to listen.

As Jennifer Bendery put it two weeks ago: “[T]he most credible threat to the website’s security may be the loudest critic of the website’s security: Rep. Darrell Issa (R-Calif.), chairman of the House Oversight and Government Reform Committee.”